I've put in security my Orion (as backend by using Keycloak and Kong), and now I can manage entities and subscriptions through authentication (token).
My question now is how can I also put the notifications (of subscription) in security?
In other words, how can my server trust about of the notification payload sent by Orion? I was thinking of using the custom notification or adopting HTTPS. Could you address me on the right solution? Thanks a lot.
By default, Orion propagates the fiware-service, fiware-servicepath and x-auth-token headers in any given update requests to any notification triggered by such given update.
If that mechanism doesn't suffices, your idea of using custom notifications to add other notification headers (or URL query parameters or whatever used by your notification receiver to authenticate) is valid. You may find interesting the example included in this documentation section which shows how to use custom notification to add an Authorization header.